authorPau Espin Pedrol <pespin@sysmocom.de>2020-03-23 14:35:26 +0100
committerPau Espin Pedrol <pespin@sysmocom.de>2020-03-23 15:34:11 +0100
commitefad80bfbffb2a35d2516e56dc40979f19c6c370 (patch)
tree831ecb8135f941a4079bd474505d3caf361bc7b3 /tests
parent81b40cbaf3070f70954663f68375100128bdc77e (diff)
csn1: Validate recursive array max size during decoding
This way if CSN1 encoded bitstream contains more elements than what the definition expects it will fail instead of overflowing the decoded buffer. RA cap struct placed in unit test is taken from a real android phone sending the value when attaching to the network. Then SGSN sends it back and osmo-pcu would crash, similar to the unit test: *** stack smashing detected ***: terminated Process terminating with default action of signal 6 (SIGABRT): dumping core at 0x4C62CE5: raise (in /usr/lib/libc-2.31.so) by 0x4C4C856: abort (in /usr/lib/libc-2.31.so) by 0x4CA62AF: __libc_message (in /usr/lib/libc-2.31.so) by 0x4D36069: __fortify_fail (in /usr/lib/libc-2.31.so) by 0x4D36033: __stack_chk_fail (in /usr/lib/libc-2.31.so) by 0x124706: testRAcap2(void*) (RLCMACTest.cpp:468) Related: OS#4463 Change-Id: I9fe0e55e0a6a41ae2cc885fba490c1d4a186231e
Diffstat (limited to 'tests')
-rw-r--r--tests/rlcmac/RLCMACTest.cpp141
-rw-r--r--tests/rlcmac/RLCMACTest.err1
-rw-r--r--tests/rlcmac/RLCMACTest.ok2
3 files changed, 144 insertions, 0 deletions
diff --git a/tests/rlcmac/RLCMACTest.cpp b/tests/rlcmac/RLCMACTest.cpp
index 6529d4de..058d57e3 100644
--- a/tests/rlcmac/RLCMACTest.cpp
+++ b/tests/rlcmac/RLCMACTest.cpp
@@ -328,6 +328,146 @@ void testMalformedRAcap(void *test_ctx)
bitvec_free(bv_dec);
}
+/* Reproduce crash from ticket OS#4463 */
+void testRAcap2(void *test_ctx)
+{
+ printf("*** %s ***\n", __func__);
+ MS_Radio_Access_capability_t data;
+ memset(&data, 0, sizeof(data));
+ bitvec *bv_dec = bitvec_alloc(23, test_ctx);
+ int rc;
+/*
+MS Radio Access Capability
+ Element ID: 0x13
+ 1... .... = ext: 1
+ Length: 23
+ ------------------------------------------- Hex bitstream starts here:
+ MS RA capability 1
+ 0001 .... = Access Technology Type: GSM E --note that GSM E covers GSM P (1)
+ .... 1001 001. .... = Length in bits: 0x49 (73)
+ ...1 00.. RF Power Capability, GMSK Power Class: 2 W (33 dBm) (4)
+ A5 Bits: A5 bits follow (1)
+ A5/1: encryption algorithm available (1)
+ A5/2: encryption algorithm not available (0)
+ A5/3: encryption algorithm available (1)
+ A5/4: encryption algorithm not available (0)
+ A5/5: encryption algorithm not available (0)
+ A5/6: encryption algorithm not available (0)
+ A5/7: encryption algorithm not available (0)
+ .... ..1. = Controlled early Classmark Sending: Implemented
+ .... ...1 = Pseudo Synchronisation: Present
+ 0... .... = Voice Group Call Service: no VGCS capability or no notifications wanted
+ .0.. .... = Voice Broadcast Service: no VBS capability or no notifications wanted
+ ..1. .... = Multislot capability struct: Present
+ HSCSD multislot class: Bits are not available (0)
+ .... 0111 = SMS_VALUE (Switch-Measure-Switch): 8/4 timeslot (~1154 microseconds) (7)
+ 0001 .... = (SM_VALUE) Switch-Measure: 2/4 timeslot (~288 microseconds) (1)
+ ECSD multislot class: Bits are not available (0)
+ .... ...0 = Single Slot DTM: Not supported
+ 1... .... = DTM EGPRS Multi Slot Class: Present
+ .... .011 00.. .... = GPRS multislot class: Max Rx-Slot/TDMA:4 Max Tx-Slot/TDMA:4 Max-Sum-Slot/TDMA:5 Tta:2 Ttb:1 Tra:2 Trb:1 Type:1 (12)
+ ..1. .... = GPRS Extended Dynamic Allocation Capability: Implemented
+ .... ..01 100. .... = EGPRS multislot class: Max Rx-Slot/TDMA:4 Max Tx-Slot/TDMA:4 Max-Sum-Slot/TDMA:5 Tta:2 Ttb:1 Tra:2 Trb:1 Type:1 (12)
+ ...1 .... = EGPRS Extended Dynamic Allocation Capability: Implemented
+ .... .11. = DTM GPRS Multi Slot Class: Multislot class 11 supported (3)
+ .11. .... = DTM EGPRS Multi Slot Class: Multislot class 11 supported (3)
+ ...1 .... = 8PSK Power Capability Bits: Present
+ 8PSK Power Capability: Power class E2 (2)
+ .... ..0. = COMPACT Interference Measurement Capability: Not Implemented
+ .... ...1 = Revision Level Indicator: The ME is Release '99 onwards
+ 0... .... = UMTS FDD Radio Access Technology Capability: Not supported
+ .0.. .... = UMTS 3.84 Mcps TDD Radio Access Technology Capability: Not supported
+ ..0. .... = CDMA 2000 Radio Access Technology Capability: Not supported
+ ...0 .... = UMTS 1.28 Mcps TDD Radio Access Technology Capability: Not supported
+ .... 1... = GERAN Feature Package 1: Supported
+ Extended DTM EGPRS Multi Slot Class: Bits are not available (0)
+ .... ..0. = Modulation based multislot class support: Not supported
+ High Multislot Capability: Bits are not available (0)
+ 0... .... = GERAN Iu mode: Not supported
+ GMSK Multislot Power Profile: GMSK_MULTISLOT_POWER_PROFILE 3 (3)
+ 8-PSK Multislot Power Profile: 8-PSK_MULTISLOT_POWER_PROFILE 3 (3)
+ .... .0.. = Multiple TBF Capability: Not supported
+ .... ..01 = Downlink Advanced Receiver Performance: Downlink Advanced Receiver Performance - phase I supported (1)
+ 1... .... = Extended RLC/MAC Control Message Segmentation Capability: Supported
+ .1.. .... = DTM Enhancements Capability: The mobile station supports enhanced DTM CS establishment and enhanced DTM CS release procedures
+ ...0 .... = PS Handover Capability: Not supported
+ MS RA capability 2
+ .... .011 1... .... = Access Technology Type: GSM 850 (7)
+ .010 0010 = Length in bits: 0x22 (34)
+ 100. .... RF Power Capability, GMSK Power Class: 2 W (33 dBm) (4)
+ A5 Bits: Same values apply for parameters as in the immediately preceding Access capabilities field within this IE (0)
+ .... 1... = Controlled early Classmark Sending: Implemented
+ .... .1.. = Pseudo Synchronisation: Present
+ .... ..0. = Voice Group Call Service: no VGCS capability or no notifications wanted
+ .... ...0 = Voice Broadcast Service: no VBS capability or no notifications wanted
+ 0... .... = Multislot capability struct: Not Present
+ .1.. .... = 8PSK Power Capability Bits: Present
+ 8PSK Power Capability: Power class E2 (2)
+ .... 0... = COMPACT Interference Measurement Capability: Not Implemented
+ .... .1.. = Revision Level Indicator: The ME is Release '99 onwards
+ .... ..0. = UMTS FDD Radio Access Technology Capability: Not supported
+ .... ...0 = UMTS 3.84 Mcps TDD Radio Access Technology Capability: Not supported
+ 0... .... = CDMA 2000 Radio Access Technology Capability: Not supported
+ .0.. .... = UMTS 1.28 Mcps TDD Radio Access Technology Capability: Not supported
+ ..1. .... = GERAN Feature Package 1: Supported
+ Extended DTM EGPRS Multi Slot Class: Bits are not available (0)
+ .... 0... = Modulation based multislot class support: Not supported
+ High Multislot Capability: Bits are not available (0)
+ .... ..0. = GERAN Iu mode: Not supported
+ GMSK Multislot Power Profile: GMSK_MULTISLOT_POWER_PROFILE 3 (3)
+ 8-PSK Multislot Power Profile: 8-PSK_MULTISLOT_POWER_PROFILE 3 (3)
+ ...0 .... = Multiple TBF Capability: Not supported
+ .... 01.. = Downlink Advanced Receiver Performance: Downlink Advanced Receiver Performance - phase I supported (1)
+ .... ..1. = Extended RLC/MAC Control Message Segmentation Capability: Supported
+ .... ...1 = DTM Enhancements Capability: The mobile station supports enhanced DTM CS establishment and enhanced DTM CS release procedures
+ .0.. .... = PS Handover Capability: Not supported
+ MS RA capability 3
+ ...0 011. = Access Technology Type: GSM 1800 (3)
+ .... ...0 1000 10.. = Length in bits: 0x22 (34)
+ .... ..00 1... .... RF Power Capability, GMSK Power Class: 1 W (30 dBm) (1)
+ A5 Bits: Same values apply for parameters as in the immediately preceding Access capabilities field within this IE (0)
+ ..1. .... = Controlled early Classmark Sending: Implemented
+ ...1 .... = Pseudo Synchronisation: Present
+ .... 0... = Voice Group Call Service: no VGCS capability or no notifications wanted
+ .... .0.. = Voice Broadcast Service: no VBS capability or no notifications wanted
+ .... ..0. = Multislot capability struct: Not Present
+ .... ...1 = 8PSK Power Capability Bits: Present
+ 8PSK Power Capability: Power class E2 (2)
+ ..0. .... = COMPACT Interference Measurement Capability: Not Implemented
+ ...1 .... = Revision Level Indicator: The ME is Release '99 onwards
+ .... 0... = UMTS FDD Radio Access Technology Capability: Not supported
+ .... .0.. = UMTS 3.84 Mcps TDD Radio Access Technology Capability: Not supported
+ .... ..0. = CDMA 2000 Radio Access Technology Capability: Not supported
+ .... ...0 = UMTS 1.28 Mcps TDD Radio Access Technology Capability: Not supported
+ 1... .... = GERAN Feature Package 1: Supported
+ Extended DTM EGPRS Multi Slot Class: Bits are not available (0)
+ ..0. .... = Modulation based multislot class support: Not supported
+ High Multislot Capability: Bits are not available (0)
+ .... 0... = GERAN Iu mode: Not supported
+ GMSK Multislot Power Profile: GMSK_MULTISLOT_POWER_PROFILE 3 (3)
+ 8-PSK Multislot Power Profile: 8-PSK_MULTISLOT_POWER_PROFILE 3 (3)
+ .0.. .... = Multiple TBF Capability: Not supported
+ ..01 .... = Downlink Advanced Receiver Performance: Downlink Advanced Receiver Performance - phase I supported (1)
+ .... 1... = Extended RLC/MAC Control Message Segmentation Capability: Supported
+ .... .1.. = DTM Enhancements Capability: The mobile station supports enhanced DTM CS establishment and enhanced DTM CS release procedures
+ .... ...0 = PS Handover Capability: Not supported
+*/
+ bitvec_unhex(bv_dec, "1933432b37159ef90879cba28c6421e72688b190879c00");
+
+ printf("=== Test decoding of multi-band MS RA Capability ===\n");
+ rc = decode_gsm_ra_cap(bv_dec, &data);
+ OSMO_ASSERT(rc == CSN_ERROR_STREAM_NOT_SUPPORTED);
+#if 0
+ /* Make sure there's 1 value (currently fails due to failed decoding) */
+ OSMO_ASSERT(data.Count_MS_RA_capability_value == 3);
+
+ /* Make sure GPRS / EGPRS multislot class is parsed correctly */
+ printf("GPRS multislot class = %u\n", Decoding::get_ms_class_by_capability(&data));
+ printf("EGPRS multislot class = %u\n", Decoding::get_egprs_ms_class_by_capability(&data));
+#endif
+ bitvec_free(bv_dec);
+}
+
int main(int argc, char *argv[])
{
void *ctx = talloc_named_const(NULL, 1, "RLCMACTest");
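Review bot: The comment in the `#if 0` block guarding `OSMO_ASSERT(data.Count_MS_RA_capability_value == 3)` says "Make sure there's 1 value" while the assertion and the three-capability capture documented in the large comment above both expect 3; suggest `/* Make sure there are 3 values (currently fails due to failed decoding) */`. The live assertion `OSMO_ASSERT(rc == CSN_ERROR_STREAM_NOT_SUPPORTED)` pins the decoder's current two-entry cap on the recursive array (the .err expectation reports "too many elements (>2)") rather than a correct decode, so a genuine three-band phone is now rejected with a clean error instead of smashing the stack, and the test should say so explicitly, e.g. `/* Decoder currently caps MS_RA_capability_value at 2 entries; this IE carries 3, so a clean STREAM_NOT_SUPPORTED error (not a buffer overflow) is expected until the array is enlarged. */` above the assertion, so a later reader does not mistake the error for intended behaviour. The `bitvec_alloc(23, test_ctx)` result is dereferenced without a NULL check, which presumably mirrors the sibling tests in this file but is worth confirming.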
@@ -346,5 +486,6 @@ int main(int argc, char *argv[])
testCsnLeftAlignedVarBmpBounds(ctx);
testRAcap(ctx);
testMalformedRAcap(ctx);
+ testRAcap2(ctx);
talloc_free(ctx);
}
diff --git a/tests/rlcmac/RLCMACTest.err b/tests/rlcmac/RLCMACTest.err
index 4434d9b2..b225bfd8 100644
--- a/tests/rlcmac/RLCMACTest.err
+++ b/tests/rlcmac/RLCMACTest.err
@@ -39,3 +39,4 @@ DRLCMACDATA ERROR Failed to encode MS RA Capability IE: not enough bits in the o
DCSN1 INFO csnStreamDecoder (RAcap): MS_RA_capability_value { | Choice MS_RA_capability_value_Choice = 1 | u.Content length = 21 | offset = 4 | RF_Power_Capability = 1 | Exist_A5_bits = 0 | ES_IND = 1 | PS = 0 | VGCS = 0 | VBS = 0 | Exist_Multislot_capability = 1 | : Multislot_capability | Exist_HSCSD_multislot_class = 0 | Exist_GPRS_multislot_class = 1 | GPRS_multislot_class = 3 | GPRS_Extended_Dynamic_Allocation_Capability = 0 | Exist_SM = 0 | Exist_ECSD_multislot_class = 0 | Exist_EGPRS_multislot_class = 1 | DCSN1 ERROR csnStreamDecoder: error NEED_MORE BITS TO UNPACK (-5) at EGPRS_multislot_class (idx 31): End Multislot_capability |
DCSN1 INFO csnStreamDecoder (RAcap): MS_RA_capability_value { | Choice MS_RA_capability_value_Choice = 1 | u.Content length = 29 | offset = 4 | RF_Power_Capability = 1 | Exist_A5_bits = 0 | ES_IND = 1 | PS = 0 | VGCS = 0 | VBS = 0 | Exist_Multislot_capability = 1 | : Multislot_capability | Exist_HSCSD_multislot_class = 0 | Exist_GPRS_multislot_class = 1 | GPRS_multislot_class = 3 | GPRS_Extended_Dynamic_Allocation_Capability = 0 | Exist_SM = 0 | Exist_ECSD_multislot_class = 0 | Exist_EGPRS_multislot_class = 1 | EGPRS_multislot_class = 0 | EGPRS_Extended_Dynamic_Allocation_Capability = 0 | Exist_DTM_GPRS_multislot_class = 0 | : End Multislot_capability | Exist_Eight_PSK_Power_Capability = 0 | COMPACT_Interference_Measurement_Capability = 0 | Revision_Level_Indicator = NULL | UMTS_FDD_Radio_Access_Technology_Capability = NULL | UMTS_384_TDD_Radio_Access_Technology_Capability = NULL | CDMA2000_Radio_Access_Technology_Capability = NULL | UMTS_128_TDD_Radio_Access_Technology_Capability = NULL | GERAN_Feature_Package_1 = NULL | Modulation_based_multislot_class_support = NULL | GMSK_MultislotPowerProfile = NULL | EightPSK_MultislotProfile = NULL | MultipleTBF_Capability = NULL | DownlinkAdvancedReceiverPerformance = NULL | ExtendedRLC_MAC_ControlMessageSegmentionsCapability = NULL | DTM_EnhancementsCapability = NULL | PS_HandoverCapability = NULL | DTM_Handover_Capability = NULL | FlexibleTimeslotAssignment = NULL | GAN_PS_HandoverCapability = NULL | RLC_Non_persistentMode = NULL | ReducedLatencyCapability = NULL | UplinkEGPRS2 = NULL | DownlinkEGPRS2 = NULL | EUTRA_FDD_Support = NULL | EUTRA_TDD_Support = NULL | GERAN_To_EUTRAN_supportInGERAN_PTM = NULL | PriorityBasedReselectionSupport = NULL | MS_RA_capability_value } |
DRLCMACDATA NOTICE Got 143 remaining bits unhandled by decoder at the end of bitvec
+DCSN1 INFO csnStreamDecoder (RAcap): MS_RA_capability_value { | Choice MS_RA_capability_value_Choice = 1 | u.Content length = 73 | offset = 4 | RF_Power_Capability = 4 | Exist_A5_bits = 1 | A5_bits = 80 | ES_IND = 1 | PS = 1 | VGCS = 0 | VBS = 0 | Exist_Multislot_capability = 1 | : Multislot_capability | Exist_HSCSD_multislot_class = 0 | Exist_GPRS_multislot_class = 1 | GPRS_multislot_class = 12 | GPRS_Extended_Dynamic_Allocation_Capability = 1 | Exist_SM = 1 | SMS_VALUE = 7 | SM_VALUE = 1 | Exist_ECSD_multislot_class = 0 | Exist_EGPRS_multislot_class = 1 | EGPRS_multislot_class = 12 | EGPRS_Extended_Dynamic_Allocation_Capability = 1 | Exist_DTM_GPRS_multislot_class = 1 | DTM_GPRS_multislot_class = 3 | Single_Slot_DTM = 0 | : DTM_EGPRS_Params | Exist_DTM_EGPRS_multislot_class = 1 | DTM_EGPRS_multislot_class = 3 | : End DTM_EGPRS_Params | : End Multislot_capability | Exist_Eight_PSK_Power_Capability = 1 | Eight_PSK_Power_Capability = 2 | COMPACT_Interference_Measurement_Capability = 0 | Revision_Level_Indicator = 1 | UMTS_FDD_Radio_Access_Technology_Capability = 0 | UMTS_384_TDD_Radio_Access_Technology_Capability = 0 | CDMA2000_Radio_Access_Technology_Capability = 0 | UMTS_128_TDD_Radio_Access_Technology_Capability = 0 | GERAN_Feature_Package_1 = 1 | Exist_Extended_DTM_multislot_class = 0 | Modulation_based_multislot_class_support = 0 | Exist_HighMultislotCapability = 0 | Exist_GERAN_lu_ModeCapability = 0 | GMSK_MultislotPowerProfile = 3 | EightPSK_MultislotProfile = 3 | MultipleTBF_Capability = 0 | DownlinkAdvancedReceiverPerformance = 1 | ExtendedRLC_MAC_ControlMessageSegmentionsCapability = 1 | DTM_EnhancementsCapability = 1 | Exist_DTM_GPRS_HighMultislotClass = 0 | PS_HandoverCapability = 0 | DTM_Handover_Capability = NULL | FlexibleTimeslotAssignment = NULL | GAN_PS_HandoverCapability = NULL | RLC_Non_persistentMode = NULL | ReducedLatencyCapability = NULL | UplinkEGPRS2 = NULL | DownlinkEGPRS2 = NULL | EUTRA_FDD_Support = NULL | EUTRA_TDD_Support = NULL | 
GERAN_To_EUTRAN_supportInGERAN_PTM = NULL | PriorityBasedReselectionSupport = NULL | MS_RA_capability_value } | MS_RA_capability_value { | Choice MS_RA_capability_value_Choice = 7 | u.Content length = 34 | offset = 4 | RF_Power_Capability = 4 | Exist_A5_bits = 0 | ES_IND = 1 | PS = 1 | VGCS = 0 | VBS = 0 | Exist_Multislot_capability = 0 | Exist_Eight_PSK_Power_Capability = 1 | Eight_PSK_Power_Capability = 2 | COMPACT_Interference_Measurement_Capability = 0 | Revision_Level_Indicator = 1 | UMTS_FDD_Radio_Access_Technology_Capability = 0 | UMTS_384_TDD_Radio_Access_Technology_Capability = 0 | CDMA2000_Radio_Access_Technology_Capability = 0 | UMTS_128_TDD_Radio_Access_Technology_Capability = 0 | GERAN_Feature_Package_1 = 1 | Exist_Extended_DTM_multislot_class = 0 | Modulation_based_multislot_class_support = 0 | Exist_HighMultislotCapability = 0 | Exist_GERAN_lu_ModeCapability = 0 | GMSK_MultislotPowerProfile = 3 | EightPSK_MultislotProfile = 3 | MultipleTBF_Capability = 0 | DownlinkAdvancedReceiverPerformance = 1 | ExtendedRLC_MAC_ControlMessageSegmentionsCapability = 1 | DTM_EnhancementsCapability = 1 | Exist_DTM_GPRS_HighMultislotClass = 0 | PS_HandoverCapability = 0 | DTM_Handover_Capability = NULL | FlexibleTimeslotAssignment = NULL | GAN_PS_HandoverCapability = NULL | RLC_Non_persistentMode = NULL | ReducedLatencyCapability = NULL | UplinkEGPRS2 = NULL | DownlinkEGPRS2 = NULL | EUTRA_FDD_Support = NULL | EUTRA_TDD_Support = NULL | GERAN_To_EUTRAN_supportInGERAN_PTM = NULL | PriorityBasedReselectionSupport = NULL | MS_RA_capability_value } | error: MS_RA_capability_value: too many elements (>2) in recursive array. Increase its size! } |DCSN1 ERROR csnStreamDecoder: error STREAM_NOT_SUPPORTED (-8) at MS_RA_capability_value (idx 131)
diff --git a/tests/rlcmac/RLCMACTest.ok b/tests/rlcmac/RLCMACTest.ok
index ffcaeb30..313511f3 100644
--- a/tests/rlcmac/RLCMACTest.ok
+++ b/tests/rlcmac/RLCMACTest.ok
@@ -144,3 +144,5 @@ decode_gsm_ra_cap() returns -5
*** testMalformedRAcap ***
=== Test decoding of MS RA Capability ===
decode_gsm_ra_cap() returns 0
+*** testRAcap2 ***
+=== Test decoding of multi-band MS RA Capability ===